diff --git a/connector/oidc/oidc.go b/connector/oidc/oidc.go
index e345dca0..84e5da99 100644
--- a/connector/oidc/oidc.go
+++ b/connector/oidc/oidc.go
@@ -3,9 +3,12 @@ package oidc
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/json"
 	"errors"
 	"fmt"
+	"net"
 	"net/http"
 	"net/url"
 	"strings"
@@ -34,6 +37,10 @@ type Config struct {
 
 	Scopes []string `json:"scopes"` // defaults to "profile" and "email"
 
+	RootCAs []string `json:"rootCAs"`
+
+	InsecureSkipVerify bool `json:"insecureSkipVerify"`
+
 	// Override the value of email_verified to true in the returned claims
 	InsecureSkipEmailVerified bool `json:"insecureSkipEmailVerified"`
 
@@ -105,8 +112,37 @@ func knownBrokenAuthHeaderProvider(issuerURL string) bool {
 // Open returns a connector which can be used to login users through an upstream
 // OpenID Connect provider.
 func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, err error) {
+	pool, err := x509.SystemCertPool()
+	if err != nil {
+		return nil, err
+	}
+
+	tlsConfig := tls.Config{RootCAs: pool, InsecureSkipVerify: c.InsecureSkipVerify}
+	for _, rootCA := range c.RootCAs {
+		if !tlsConfig.RootCAs.AppendCertsFromPEM([]byte(rootCA)) {
+			return nil, fmt.Errorf("cannot add CA from PEM")
+		}
+	}
+
 	ctx, cancel := context.WithCancel(context.Background())
 
+	httpClient := &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: &tlsConfig,
+			Proxy:           http.ProxyFromEnvironment,
+			DialContext: (&net.Dialer{
+				Timeout:   30 * time.Second,
+				KeepAlive: 30 * time.Second,
+				DualStack: true,
+			}).DialContext,
+			MaxIdleConns:          100,
+			IdleConnTimeout:       90 * time.Second,
+			TLSHandshakeTimeout:   10 * time.Second,
+			ExpectContinueTimeout: 1 * time.Second,
+		},
+	}
+	ctx = context.WithValue(ctx, oauth2.HTTPClient, httpClient)
+
 	provider, err := oidc.NewProvider(ctx, c.Issuer)
 	if err != nil {
 		cancel()
@@ -150,6 +186,7 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
 		verifier: provider.Verifier(
 			&oidc.Config{ClientID: clientID},
 		),
+		httpClient:                httpClient,
 		logger:                    logger,
 		cancel:                    cancel,
 		insecureSkipEmailVerified: c.InsecureSkipEmailVerified,
@@ -189,6 +226,7 @@ type oidcConnector struct {
 	preferredUsernameKey      string
 	emailKey                  string
 	groupsKey                 string
+	httpClient                *http.Client
 }
 
 func (c *oidcConnector) Close() error {
@@ -238,11 +276,14 @@ func (c *oidcConnector) HandleCallback(s connector.Scopes, r *http.Request) (ide
 	if errType := q.Get("error"); errType != "" {
 		return identity, &oauth2Error{errType, q.Get("error_description")}
 	}
-	token, err := c.oauth2Config.Exchange(r.Context(), q.Get("code"))
+
+	ctx := context.WithValue(r.Context(), oauth2.HTTPClient, c.httpClient)
+
+	token, err := c.oauth2Config.Exchange(ctx, q.Get("code"))
 	if err != nil {
 		return identity, fmt.Errorf("oidc: failed to get token: %v", err)
 	}
-	return c.createIdentity(r.Context(), identity, token, createCaller)
+	return c.createIdentity(ctx, identity, token, createCaller)
 }
 
 // Refresh is used to refresh a session with the refresh token provided by the IdP
@@ -253,6 +294,8 @@ func (c *oidcConnector) Refresh(ctx context.Context, s connector.Scopes, identit
 		return identity, fmt.Errorf("oidc: failed to unmarshal connector data: %v", err)
 	}
 
+	ctx = context.WithValue(ctx, oauth2.HTTPClient, c.httpClient)
+
 	t := &oauth2.Token{
 		RefreshToken: string(cd.RefreshToken),
 		Expiry:       time.Now().Add(-time.Hour),
